Analysis Overview
SHA256
b2da2a7e096b70ea8c3fb755389ba54288a3ba73f823297f96eac2626e13c519
Threat Level: Known bad
The file start-update(repair).msi was found to be: Known bad.
Malicious Activity Summary
DarkGate
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Drops file in Windows directory
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-27 06:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-27 06:39
Reported
2023-10-27 06:42
Platform
win7-20231023-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76a600.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76a5ff.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76a5ff.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76a600.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAF81.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\start-update(repair).msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "0000000000000598"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A5C09969A3B60E733CD9178E00813446
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files"
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
Files
C:\Windows\Installer\MSIAF81.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\Windows\Installer\MSIAF81.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\msiwrapper.ini
| MD5 | efc75a5fd5b69d96b32582c42a2278d1 |
| SHA1 | 77033ad20bb1b4b81f1e9becaaf4254177869e09 |
| SHA256 | 4ad7366d512ebe9f7d612b54ede1c7ac502994a0e7156770f1a1596c3e605631 |
| SHA512 | f85e01ba7ffc9fd4f6b758d8cce43607d7f1d57eff44d266c1f4fb773542e4aeafe5bba921abae01503a432ca7d48cbaab0702884d70f360dee40e5376155ec1 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files.cab
| MD5 | 5b5ab7c7be9c3acb6f9f0fe2ac76ce8f |
| SHA1 | 969e7b4012bc9c1fc1abbe87190acaa390fb2e3b |
| SHA256 | 93fdc6e8c29be82cdfcc0672de665ad0eb3b9ea6166c46d08a9e4b6018e605bd |
| SHA512 | 074dcf1fe1976ad0a0030f9fdb785ffa456e4e24128c067d2bd3d07527e296d48f241bc9fba56c80d3cf7db84d3c0c7c6a056fea7b158fe2d45be655c1f619c4 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\msiwrapper.ini
| MD5 | efc75a5fd5b69d96b32582c42a2278d1 |
| SHA1 | 77033ad20bb1b4b81f1e9becaaf4254177869e09 |
| SHA256 | 4ad7366d512ebe9f7d612b54ede1c7ac502994a0e7156770f1a1596c3e605631 |
| SHA512 | f85e01ba7ffc9fd4f6b758d8cce43607d7f1d57eff44d266c1f4fb773542e4aeafe5bba921abae01503a432ca7d48cbaab0702884d70f360dee40e5376155ec1 |
\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
memory/1252-101-0x0000000000200000-0x000000000034B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\data2.bin
| MD5 | 3748804e1be2dd45292e783c133ada76 |
| SHA1 | db35407fd6840161f48a2d21b1415098a968cb08 |
| SHA256 | 013cd1c2ba6bc1e701a88712f0ed029ec392ebc4b7ca748c7b43f6963cc51d69 |
| SHA512 | 1073614b3ae06b90bf02588dabe5767ad5246205c4dfdd6c3b486ee6f0909f30fa61fa61adbef540f53f15d7bbfe31c5d7037876f0d1aa8f616d13abd36ce168 |
memory/1252-105-0x00000000008D0000-0x00000000009D0000-memory.dmp
\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1252-112-0x0000000000200000-0x000000000034B000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | f459ad2144b763a9b47f47d0fd4150c3 |
| SHA1 | c6751098ad5cbbd2191f9308a6d0be30a0d54cd1 |
| SHA256 | 481307e8ff14ab55e77e4909419ea1cccb2722eae34f7c6135baa0b4bc341ae5 |
| SHA512 | 02cd6acb67aa08dc6cef4221ec12d1573946b6c06754346bf4d192c81470a672bb2905c5ad364c119e57b41f155bc3dcd7c2333bccc17e0dbd85ac1d5706a8a6 |
memory/1052-117-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/1052-118-0x0000000002FA0000-0x00000000032CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00001-~1.PNG
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00000-~1.PNG
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00005-~1.PNG
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00004-~1.PNG
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00003-~1.PNG
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-5eccd727-60e0-47f8-9705-16d5363c213e\files\00002-~1.PNG
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
memory/1052-127-0x0000000000C20000-0x0000000001020000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-27 06:39
Reported
2023-10-27 06:42
Platform
win10v2004-20231020-en
Max time kernel
93s
Max time network
155s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{238BFD3C-CA99-478E-837B-6A9C2A931AA3} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSI1058.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFC42.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1068.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57fa8c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57fa8c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\start-update(repair).msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 385D05911CF6505E863CDC9F2251F3D8
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.209.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.210.218.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIFC42.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Windows\Installer\MSIFC42.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\msiwrapper.ini
| MD5 | 7b9227d19185d244e78e854641b6b866 |
| SHA1 | 570cda8e7c975f3b5ad92377516acffc56866889 |
| SHA256 | c8ef0e37d4aad1734c468b3ee7e23d26dc5197443507ad68b7d1b8120ecf4815 |
| SHA512 | 257df2eefea69aa3754deca72f9e1983a5f1298c2f88fecee41ac180f53564243eda9251523b6cdd54722c5a9f200b484982a02ff1d04dc7c0f655942090d560 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\msiwrapper.ini
| MD5 | 255b3fe63d6247c5374bf07aaeb3f20d |
| SHA1 | d41bd4e313f50e9fb81edd9b8445d5ba64b80082 |
| SHA256 | 76c68a4dcbfc60d6731f2e77991d173ac72f874cd1b79b83e7c90adbf789777b |
| SHA512 | cb83bce1962696a0a887aedb74b5e761d10de7fac899011ae86e8a32ca104684d3a4b2cde74589e0583a434fd33382a0d12855c376e9787849b5783824a1e47c |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\msiwrapper.ini
| MD5 | 255b3fe63d6247c5374bf07aaeb3f20d |
| SHA1 | d41bd4e313f50e9fb81edd9b8445d5ba64b80082 |
| SHA256 | 76c68a4dcbfc60d6731f2e77991d173ac72f874cd1b79b83e7c90adbf789777b |
| SHA512 | cb83bce1962696a0a887aedb74b5e761d10de7fac899011ae86e8a32ca104684d3a4b2cde74589e0583a434fd33382a0d12855c376e9787849b5783824a1e47c |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files.cab
| MD5 | 5b5ab7c7be9c3acb6f9f0fe2ac76ce8f |
| SHA1 | 969e7b4012bc9c1fc1abbe87190acaa390fb2e3b |
| SHA256 | 93fdc6e8c29be82cdfcc0672de665ad0eb3b9ea6166c46d08a9e4b6018e605bd |
| SHA512 | 074dcf1fe1976ad0a0030f9fdb785ffa456e4e24128c067d2bd3d07527e296d48f241bc9fba56c80d3cf7db84d3c0c7c6a056fea7b158fe2d45be655c1f619c4 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
memory/4932-98-0x0000000000760000-0x00000000008AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\data2.bin
| MD5 | 3748804e1be2dd45292e783c133ada76 |
| SHA1 | db35407fd6840161f48a2d21b1415098a968cb08 |
| SHA256 | 013cd1c2ba6bc1e701a88712f0ed029ec392ebc4b7ca748c7b43f6963cc51d69 |
| SHA512 | 1073614b3ae06b90bf02588dabe5767ad5246205c4dfdd6c3b486ee6f0909f30fa61fa61adbef540f53f15d7bbfe31c5d7037876f0d1aa8f616d13abd36ce168 |
memory/4932-102-0x00000000008B0000-0x00000000009B0000-memory.dmp
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4932-107-0x0000000000760000-0x00000000008AB000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | f459ad2144b763a9b47f47d0fd4150c3 |
| SHA1 | c6751098ad5cbbd2191f9308a6d0be30a0d54cd1 |
| SHA256 | 481307e8ff14ab55e77e4909419ea1cccb2722eae34f7c6135baa0b4bc341ae5 |
| SHA512 | 02cd6acb67aa08dc6cef4221ec12d1573946b6c06754346bf4d192c81470a672bb2905c5ad364c119e57b41f155bc3dcd7c2333bccc17e0dbd85ac1d5706a8a6 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00000-602071660.png
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\msiwrapper.ini
| MD5 | 9a0d2fc6890ea90bd190a878cd2b7523 |
| SHA1 | e6f2f7cc87f540a845446dd262a212528a5924fb |
| SHA256 | 74393510147032834513b3230150dac7a8738e9f979122c41a865383effc64ab |
| SHA512 | 3fcca4e27bb0d0ee497067d48c87fa8048a9a0451b6e0b09123d3d46f46e6663ed92cf9e83b755cb0e6af40bcf936837a5718e7d5e761a41555684a98355c497 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00005-3931689802.png
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
memory/5036-118-0x0000000003B30000-0x0000000003E5A000-memory.dmp
memory/5036-117-0x0000000000E60000-0x0000000001260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00004-4001132497.png
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00003-1310450276.png
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00002-1969081335.png
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-04f94b3b-543e-479a-b3d5-948777cd54e9\files\00001-3764640629.png
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
C:\Windows\Installer\MSI1068.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Windows\Installer\MSI1068.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{242d532e-ede1-4ddc-8bb4-3841713fa4c4}_OnDiskSnapshotProp
| MD5 | 33fbb2f15d84e6c60bbf2fdd3534b934 |
| SHA1 | 0c58452904f5341fefbb2b3db4c8d5cef0eee203 |
| SHA256 | 3ea372c5aa8ac5f7eff25cd1c7e50420d72852537f2342b770bcd88325e9ad1b |
| SHA512 | 57851587badf66256e20c2a735db99ae3df760dafa95fce47ee52860cfcbcc6e88af0ffacf867b38df2aface7a56ab12fee0b99bfd00a4dc29b7dfb2d9e169d9 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 897029319b528c168165ac158ca8272b |
| SHA1 | 8b5800738f800732eb3942b152f422ee08a87923 |
| SHA256 | 81a14174784a440bbc62be6c5b0ca4b2f71549063e7034be718d14a1fcf8b6f5 |
| SHA512 | 8bfbb71c27f3c507b4737e151ac6594caf40dd3c342a147a16ecf86cc687d176282c3bdb9a18db8f1ed1aa6f68ecbcce4c3b458769a5d8a9b1cb16006c5c2a48 |